Locating hidden brand impersonation infrastructure using Silent Push Web Scanner

Challenge: Gathering actionable web content and DNS data at scale 


Our customer – a large U.S. retail organization – was facing difficulties scanning and analysing vast amounts of public web content and DNS data, in the hunt for brand impersonation domains and portal spoofing infrastructure. 

The company has a global presence in the retail space and is considered a high-value target by APT groups. One such group, FIN7, is known for sophisticated phishing tactics that we published research on this year.

The security team was tasked with using multiple platforms to collect and corroborate data on potential impersonation domains, and was on the lookout for a unified scanning and analysis solution that didn’t require jumping between vendors to validate intelligence as true positive and actionable. 

The incumbent solution did not offer high-confidence intel that was easy to access and already validated as malicious at the point of collection. The CTI team found themselves wasting time confirming or rejecting indicators in their alert queue, and needed to streamline the whole process so that tooling produced a better ROI and true positive domains were easier and quicker to find.

Solution: Using Silent Push Web Scanner to reveal IOFA™ 

Silent Push Web Scanner is a feature of Community and Enterprise editions that allows users to scan the clearnet and darkweb for live and historic Indicators of Future Attack™ (IOFA™). 

From a single origin point, Web Scanner can be used to quickly reveal linked phishing and spoofing content across 150+ searchable parameters applied to each returned domain and IP, including proprietary hash values not used by any other vendor. 

Historic result sets make it easy for teams to establish precisely how an adversary manages and deploys their infrastructure over time to evade detection, by tracking attributes such as:

  • Hosting providers 
  • JavaScript 
  • On-page content 
  • Favicon usage 
  • Domain naming conventions 
  • HTML data 
  • Risk scores 

Our customer was able to construct a single query that scraped the global IP range for domains attempting to mimic their own legitimate infrastructure, and use the underlying DNS data to traverse across previously unknown hosting clusters to identify domains and IPs engaged in live and historic threat activity. 
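The two-stage workflow described above (seed on domains whose names mimic the brand, then pivot on the attributes listed earlier to reach infrastructure whose names give nothing away) can be sketched offline. The following is an added example written for this page, not Silent Push code and not its query language; the brand name `examplemart`, the record field names, the IPs, ASNs and favicon hash values are all constructed sample data, and `levenshtein` and `hunt` are hypothetical helpers.

```python
"""Offline sketch of lookalike-seeded infrastructure pivoting.
Added example, not Silent Push's code or API; all data below is constructed."""

BRAND = "examplemart"                                   # assumed brand keyword
LEGIT_DOMAINS = {"examplemart.com", "www.examplemart.com"}  # assumed legitimate hosts

# Constructed scan records. A real scanner would populate hosting, favicon and
# HTML attributes per domain; the values here are invented for illustration.
RECORDS = [
    {"domain": "examplemart.com", "ip": "203.0.113.10", "asn": "AS64500",
     "favicon_hash": "f1", "title": "ExampleMart - Sign in"},
    {"domain": "examp1emart-login.com", "ip": "198.51.100.7", "asn": "AS64511",
     "favicon_hash": "f1", "title": "ExampleMart - Sign in"},
    {"domain": "exampIemart.net", "ip": "198.51.100.8", "asn": "AS64511",
     "favicon_hash": "f1", "title": "ExampleMart - Sign in"},
    {"domain": "account-verify-portal.com", "ip": "198.51.100.7", "asn": "AS64511",
     "favicon_hash": "f1", "title": "Secure Portal"},
    {"domain": "unrelated-blog.org", "ip": "192.0.2.5", "asn": "AS64496",
     "favicon_hash": "f9", "title": "My Blog"},
    {"domain": "weather-today.example", "ip": "198.51.100.7", "asn": "AS64511",
     "favicon_hash": "f3", "title": "Weather"},
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, brand: str = BRAND, max_dist: int = 2) -> bool:
    """Naming-convention rule: the brand keyword appears in the registrable
    label, or the label's leading characters are within max_dist edits of it
    (catches digit/letter swaps such as 1 for l). Naive label extraction
    that ignores multi-part TLDs; good enough for the sample data."""
    label = domain.lower().split(".")[-2]
    stem = label.replace("-", "")
    if brand in label:
        return True
    return levenshtein(stem[: len(brand)], brand) <= max_dist


def hunt(records, legit=LEGIT_DOMAINS):
    """Stage 1: seed with domains matching the naming rule.
    Stage 2: pivot on fingerprints the seeds share. Content fingerprints
    (favicon hash, HTML title) are treated as strong evidence; a shared
    hosting IP alone is weak, since shared hosting produces false positives.
    Returns {domain: reason} for everything worth an analyst's attention."""
    seeds = {r["domain"] for r in records
             if r["domain"] not in legit and is_lookalike(r["domain"])}
    seed_recs = [r for r in records if r["domain"] in seeds]
    strong = {(k, r[k]) for r in seed_recs for k in ("favicon_hash", "title")}
    weak = {("ip", r["ip"]) for r in seed_recs}

    findings = {d: "lookalike name" for d in seeds}
    for r in records:
        d = r["domain"]
        if d in legit or d in findings:
            continue
        hits = [k for k in ("favicon_hash", "title") if (k, r[k]) in strong]
        if hits:
            findings[d] = "shares " + "+".join(hits) + " with seeds"
        elif ("ip", r["ip"]) in weak:
            findings[d] = "shares hosting IP only (review: shared hosting)"
    return findings


if __name__ == "__main__":
    for domain, why in hunt(RECORDS).items():
        print(f"{domain:30} {why}")
```

On the constructed records, the two typo-squats seed the hunt, `account-verify-portal.com` surfaces only because it reuses the seeds' favicon, and `weather-today.example` is flagged for review rather than as a finding because a shared IP is the weakest of the pivots. Real platforms replace the favicon string with a content hash and add many more attributes, but the ordering of evidence (content fingerprints over hosting overlap) is the point.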

As well as providing more actionable insight on hidden and known infrastructure targeting the brand and supply chain, Web Scanner allowed the CTI Team to consolidate multiple scanning and analysis tools into one platform, cutting costs, driving productivity, and improving key metrics such as MTTD and MTTR. 

The Silent Push Difference: Proprietary Behavioral Analytics 

Cyber criminals deploy brand impersonation domains according to a series of patterns. Patterns have rules. Rules are searchable. Silent Push allows teams to identify and track the underlying TTPs that are used in an attack, rather than focusing on the thin end of the wedge – the domains themselves. 

Web Scanner allows teams to track the automated management of pre-weaponized attacker domains and IPs, with parameters and search methods unique to Silent Push, that reveal traceable behavioral fingerprints linked to specific adversaries and attack vectors.

This enables threat hunters and security analysts to gather large amounts of information on an attack vector at scale, and cut through the noise to deliver true positive IOFA™ across a security stack using proprietary fields and features that aren’t available through any other vendor. 

Learn more about our unique approach to preemptive threat intelligence 

Find out how Silent Push helps you to locate hidden and known threat infrastructure, and stop digital assaults at the source before they occur with Indicators Of Future Attack (IOFA)™ data. 

Contact us here for more information. 

The post Locating hidden brand impersonation infrastructure using Silent Push Web Scanner  appeared first on Silent Push.